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[57] ABSTRACT 

A secure memory card includes a microprocessor on a 



single semiconductor chip which interconnects through 
an internal bus to a number of non-volatile addressable 
memory chips. The microprocessor includes an ad- 
dressable non-volatile memory for storing information 
including a number of key values and program instruc- 
tion information. Each chip*s memory is organized' into 
a number of blocks, each block including a number of 
rows of byte locations. Each row of each block further 
includes a lock bit location, the total number of which 
provide storage for a lock value uniquely coded to 
utilize a predetermined characteristic of the memory to 
ensure data protection. Each memory chip is con- 
structed to include security control logic circuits which 
include a security access control unit and a volatile 
access control memory containing a plurality of access 
control storage elements. Under the control of a prede- 
termined set of instructions, the security access control 
unit performs a predetermined key validation operation 
by comparing key values against the bit contents of lock 
bit locations read out a bit at a time during an authenti- 
cation procedure with a host computer. After the suc- 
cessful performance of the key validation procedure, 
the microprocessor sets one of the storage elements of 
the volatile access control memory for enabling user 
access to block data. 

20 Claims, 8 Drawing Sheets 
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device is also under the control of the thief. To make 

SECURE MEMORY CARD WITH PROGRAMMED matters worse, technology now allows and encourages 

CONTROLLED SECURITY ACCESS CONTROL the carrying of enormous amounts of sensitive informa- 
tion on one's person where it is subject to mishap. 

RELATED PATENT APPLICATION 5 Also, today's notebook and subnotebook sized com- 

The patent application of Thomas O. Holtey and P^ers provide a free standing ; environment having sig- 

Peter J. Wilson entitled, "Secure Memory Card," filed nificant computing power which has created a need for 

on Oct. 14, 1992, bearing Ser. No. 07/960,748, now U.S. additional data storage capability. This need has initially 

Pat. No. 5,293,424 which is assigned to the same as- been met by nuniature hard disk devices which can hold 

. signee as this patent application. 10 both programs and data. While password protection is 

The patent application of Thomas O. Holtey entitled, often used in these systems, it does not completely pro- 

"A Secure Application Card for Sharing Application tect sensitive data because, first, the authentication 

Data and Procedures Among a Plurality of Micro- agent is vulnerable. But, more significantly, the disk 

processors, filed on Jan. 14, 1994, bearing Ser. No. device containing the data can be physically removed 

08/181,684, which is assigned to the same assignee as 15 and accessed in a setting more conducive to analysis. In 

this patent application. this case, data has been protected by employing some 

^ . ^ mx ™ XT form of encryption. The nature of disk access makes this 

BACKGROUND OF THE INVENTION encountering undue cost or per for- 

1. Field of the Invention mance barriers. An example of this type of system is 
This invention relates to the field of portable personal 20 described in U.S. Pat. No. 4,985,920 entitled "Inte- 

computers and more particularly to systems for main- grated Circuit Card". 

taming data security in a portable digital information The recent emergence of the flash memory and re- 
environment, movable "memory cards" have allowed major reduc- 

2. Prior Art tions in size and power requirements of the portable of 
The security of personal information has always been 25 ^ portat> i e com p U ter. The flash memory combines the 

concern. Historically, it has been safeguarded through flexibility of random access memories (RAMs) with the 

the use of signatures, credentials and photographs. permanence of disks. Today, the combining of these 

Electronic devices such as automatic banking machines technologies allows up to 20 million bytes of data to be 

have added encoded cards and personal identification stored ^ihxmt poW er, in a credit card size removable 
numbers (PINs) to the repertoire of security tools. 30 package ^ data ^ be made to appear to a host 

Computers continue to use passwords. m dther ^ if it were stored on a conve ntional disk 

More recently, the "Smart Card" has been used as a driye Qr if ft were stQred in m extension of the host 

security tooL The "Smart Card" is a small microcom- system's memory 

puter with writable, non-volatile memory and a simple * technological developments have made further 

mput/output interface ^^^^^1^ ™* reductions m size P ossible to the extent that the 

embedded m a plastic * credit card It h* ; exten or pins £ cm be Qn ^ ^ ^ 

to allow it be connected to specially designed equip- ^ ^ vulnertWe to 

ment. The program contained m the loss or theft md more difficult to protect memory 

Duter interacts with this equipment and allows its non- . . . _ . ^ r *, 

volak memory data to be read or modified according 40 data by encryption since this presents major cost and 
to a desired algorithm which may optionally include a performance barriers. 

password exchange. Special techniques have been im- . Accordingly, it is a pnmary object of the present 
Jlemented to protect tiie memory data and to allow ™enuon to provide a portable digital system with a 
permission variations according to the situation. For se^re memory subsystem 

example, U.S. Pat. No. 4,382,279 entitled, "Single Chip 45 It is a further object of the present invention to pro- 
Microprocessor with On-Chip Modifiable Memory" vide a memory card whose contents can be protected if 
discloses an architecture which permits automatic pro- removed from a portable digital system, 
gramming of a non-volatile memory which is included It is still a further object of the present mvennon to 
on the same chip as a processing and control unit As in provide a memory card in which the data contents of 
other systems, the microprocessor only protects mem- 50 the chips of the card are protected if removed from 
ory on the same chip. such card - 1 . _ . . . 

The "Smart Card" has been used both to facilitate the It is a more specific object of the present invention to 
process of identification and to be the actual site of the provide a secure memory subsystem which can be eas- 
valued information. In this situation, as in most prior ily fabricated due to simplicity m design, 
situations, physical presence of a "key" as well as some 55 SUMMARY OF THE INVENTION 

special knowledge has been used as part of the verifica- 
tion or authentication process. In such cases, idenufica- The above and other objects of the present invention 
tion has involved a dialog between the person desiring are achieved in the preferred embodiment of a secure 
access and a fixed agent such as a security guard and an memory card described in the above reference related 
automatic teller machine. 60 patent application to Thomas O. Holtey, et al. The 

The current state of portability of free standing com- secure memory card includes a microprocessor on a 
puting devices makes it possible for both the physical single semiconductor chip and one or more non-volatile 
key and the authentication agent to be small, portable addressable memory chips. The microprocessor chip 
and hence more subject to loss or theft. Further, com- and non-volatile memory chips connect in common to 
puting devices make it possible to perform repeated 65 an internal bus for transmitting address, data and con- 
attempts to guess or deduce the special knowledge or trol information to such non-volatile memory chips, 
passwords associated with the identification process. The microprocessor includes an addressable non- 
This is especially true if the authentication agent or volatile memory for storing information including a 
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number of key values and program instruction informa- second range. Moreover, such processing normally 
tion for controlling the transfer of address, data and only takes place during system initialization, 
control information on the internal bus. According to the teachings of the present invention, 
According to the teachings of the present invention, the key values are selected so that the first bit of every 
the chip memory is organized into a number of blocks, 5 key value is set to a predetermined state which utilizes 
each block having a number of rows, each containing a a predetermined characteristic of the memory chip, 
plurality of addressable byte locations. Each row fur- More specifically, in the memory of the preferred em- 
ther includes a single lock bit location which coliec- bodiment, when the memory is erased all bits are set to 
tively with the other row lock bit locations provide ones and writing into the memory can only change the 
storage for a significant number of lock bits within each 10 ones t0 2eros but can not change the zeros back to ones, 
block with little increase to the size of the chip memory. Th e present invention uses this characteristic by requir- 
The lock bits are uniquely coded to utilize a predeter- ing that the first bit of every key be set to this predeter- 
mined characteristic of the non-volatile memory which mined state (i.e. zero) which will serve as the protection 
ensures data protection. bit for each blockf F urt her, the keys are coded accord- 
Also, according to the present invention, each mem- 15 ing to a predetermined protocol which further ensures 
ory chip is constructed to include security control logic prot ection. In the preferred embodiment, the protocol 
circuits which include a volatile access control memory uses rules similar to thosc utihzed in a well 
having a plurality of access control storage elements mun ications protocol such as the High-level Data Link 
and a programmable security access control unit con- Contro| (H DLC) communications protocol. That is, 
taming a small number of circuits for carrying out a key 20 each key value bit sequen ce is coded to contain less than 
validation operation. More specifically, under the con- a predetermined number of successive ONE bits with 
trol of a predetermined set of instructions, the security the tion of a n field which the de _ 
access control unit performs a predetermined key vali- temined number of successive ONE bits . If bits of 
dation operation for a protected block by senally com- ^ end m ^ ^ - t ^ nQt fec ible 
paring the bits of a key value against the bit contents of 25 detect ^ end ^ vahje and accesg ^ & 
lock bit positions of the memory block read out in re- ^ ^ . f J y ^ ^ * ^ key ^ 

sponse to such instructions. are tampered with, there will be a mismatch between 

This validation operation is earned out with a host , . Y . . . 

computer as part of a predetermined authentication the A ock and ke * va ues preventing access 

procedure. It * only after the successful performance of 30 A1 K S0 ' *?™ dm * ° the f TCS f n » vcat,on - * S *f 

such procedure, can the microprocessor set the associ- number ° f Afferent types of instructions are utihzed to 

ated volatile access control memory access control out * ke f validation operation. These include a 

element of a block for enabling the user access to read first tv P e of mstruction which is performed once by the 

out information from the protected block. microprocessor to begin a key validation operation. If 

As in the case of the related patent application, peri- 35 the memor y bk ><* 18 » ot protected^ is the only in- 
odically, the user can be required to successfully per- structl0n t0 be executed. The microprocessor 
form an authentication procedure with the host com- e * ecutes * secon ? ^truction, one for each bit m 
puter, and allowed to continue reading information as the sequence of key bits. Each second type of instruc- 
allowed by the access control memory. In the preferred tl0n causes one blt of the kev blt sequence to be corn- 
embodiment, the host computer couples to the memory 40 pared with a corresponding lock bit of the sequence of 
card through a standard interface such as an interface lock blts stored ™ the block lock locations. The 
which conforms to the Personal Computer Memory microprocessor completes the key validation operation 
Card International Association (PCMCIA) standards. *>Y executing a third type of instruction. This instruction 

The security logic circuits of the preferred embodi- causes the sampling of the accumulated companson 

ment contain a minimum amount of logic circuits which 45 result stored in the accumulation companson flip-flop, 

include a number of lock bit locations corresponding to tests the end counter, and sets the block access control 

one per memory row of each block, an end counter, a memory bit only when the results are correct (i.e. when 

comparator and a compare accumulation flip-flop and the counter and accumulation companson flip-flop are 

an access control memory containing one bit location or m the correct states). 

flip-flop for each memory block. The end counter is 50 Also in the preferred embodiment, the same set of 
used to count successive ONE bits in the lock bit loca- instructions can be modified when required to be used 
tions of a block for detecting the end of a stored key during the fabrication of the memory card or during a 
value. The comparator and compare accumulation flip- selective block erase operation. That is, instead of read- 
flop respectively, compares each data bit presented by ing out the bits of a key value, the instructions can be 
an instruction to the lock bit stored in a corresponding 55 used to cause the writing of the key value bit sequence 
one of the lock bit locations and accumulates the result into the lock bit positions of a memory block following 
of the series of successive comparisons made therebe- an erase operation. . 

tween. The present invention expands the capabilities of the 

The present invention eliminates the need for parallel secure card of the related patent application by provid- 

data paths, parallel data comparators and large register 60 ing an independent lock for each block of memory, 

widths for storing long key values selected to provide Also, it permits the use of variable length key values as 

greater protection against guessing. In the preferred a function of the amount of protection to be accorded to 

embodiment, each block can provide a maximum key the information being protected. Further, the present 

length of 8 kilobits. This is done without having to be invention requires substantially less circuitry, making it 

concerned with the problems of providing wider paral- 65 easier to construct and less costly. As in the case of the 

lei paths or large register widths. Further, with the related patent application, it melds the "Smart Card" 

speed of today's microprocessors, the time required to and "memory card" technologies which is key to allow- 

process large key lengths remains well under the sub- ing the protection of large amounts of data made possi- 
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ble by flash memory technology in the "security harsh" present invention provides a protection technique 

environments created by electronic mimaturization, which supports this new standard by providing rapid 

The present invention also retains the features of the access to random memory locations without resort to 
secure card of the related patent application relative to encryption techniques. By controlling the data paths 
being capable of operating in both secure and non- 5 which carry the data from the memory array to the 
secure modes, eliminating the need for encrypting and host, the memory card of the present invention protects 
decrypting data, and protecting memory data if the card the data without imposing any time-consuming buffer- 
or its host processor is lost, stolen, powered off or left ing, decryption or other serial processing in this path, 
unattended. In the event of theft, the memory data is Typically, a user operates system 1 from the key- 
protected from access even if the memory card is 10 board 5-4 to perform the typical operations such as 
opened and probed electronically or the memory chips spreadsheet and database functions which display infor- 
are removed and placed in another device. mation on display 5-2 and update information stored in 

The above objects and advantages of the present files in memory card 3. The host processor 5 sends 

invention will be better understood from the following address information over bus 102 to retrieve informa- 

description when taken in conjunction with the accom- 15 tion and if desired, updates the information and sends it, 

panying drawings. along with the necessary address and control infonna- 

BRIEF DESCRIPTION OF THE DRAWINGS ^l^ry card 3 of the pros- 

FIG. 1 is a block diagram of a system which incorpo- ent invention includes an access control processor 
rates a memory card constructed according to the pres- 20 (ACP) 10 which couples to bus 105 and a number (n) of 
ent invention. CMOS flash memory chips 103a through 103/t, each 

FIG. 2 shows in greater detail, the access control coupled to bus 105. ACP 10 is typically the same type of 
processor (ACP) of FIG. 1 including the organization processing element as is used in the "Smart Card". The 
of its non-volatile memory. CMOS flash memories 103a through 103/1 may take the 

FIG. 3 shows in block diagram form the standard 25 form of flash memory chips manufactured by Intel Cor- 
flash memory of FIG. 1 modified according to the poration. For example, they may take the form of the 
teachings of the present invention. Intel flash memory chip designated as Intel 28F001BX 

FIG. 4 shows in greater detail, the flash memory of 1M which includes eight 128 Kilobyte X 8-bit CMOS 
FIG. 3 constructed according to the teachings of the flash memories. Thus, a 4 Megabyte flash memory card 
present invention. 30 could include 32 such flash memories (i.e. n=32). For 

FIG. 5 is a table used to explain the operation of the further information regarding flash memory compo- 
memory card of the present invention, nents, reference may be made to the article entitled, 

FIGS. 6a through 6c are flow charts used to explain "Flash Memory Goes Mainstream " published in the 
the modes of operation of the memory card of the pres- October, 1993 issue of the IEEE Spectrum publication, 
ent invention. 35 



ACCESS CONTROL PROCESSOR 10 



DESCRIPTION OF THE PREFERRED 
EMBODIMENT 



FIG. 2 shows in block diagram form, the access con- 
trol processor (ACP) 10 of the preferred embodiment 
FIG. 1 is a block diagram of a secure portable hand- As shown, ACP 10 includes a protected non-volatile 
held computing system 1 usable as a personal computer 40 memory 10-2, a random access memory (RAM) 10-4, a 
or as a transaction processor. System 1 includes a mem- microprocessor 10-6, an interval counter 10-8 and an 
ory card 3 constructed according to the present inven- interface block 10-10 connected to bus 105. Non- 
tion which connects to a host processor 5 by a bus 102. volatile memory 10-2 dedicates a number of addressed 
The host processor 5 may take the form of a palm top locations in which to store authentication information 
persona] computer, such as the HP 95LX manufactured 45 and programs. More specifically, memory locations 
by Hewlett-Packard Company. The host processor 5 10-2a store one or more personal identification numbers 
includes a liquid crystal display (LCD) 5-2, a keyboard (PINs), protocol sequences or other identification infor- 
5-4, a memory 5-8, and a serial interface 5-10, all cou- mation for verifying that the user has access to the 
pled in common to a bus 106. The memory 5-8 includes system, and for identifying the blocks in flash memories 
a one megabyte read only memory (ROM) and a 512 50 103a through 103« that the user may access in addition 
kilobyte random access memory (RAM). to a time interval value used for reauthentication. 

The connection between the memory card 3 and host Memory locations 10-2b store the key values used for 
processor 5 is established through a standard bus inter- protecting each of the flash memories 103a through 
face. In the preferred embodiment, the bus 102 con- 103n or the codes used to protect the individual blocks 
forms to the Personal Computer Memory Card Interna- 55 of each of the flash memories 103a through 103/j. Mem- 
tional Association (PCMCIA) standard. The interface ory locations 10-2c store the program instruction se- 
102 provides a path for transferring address, control and quences for performing the required authentication 
data information between host processor 5 and the operations and for clearing the system if the preset 
memory card system 3 via a standard interface chip 104 conditions for failure are met. 

and a memory card bus 105. Each of the buses 102, 105, 60 Certain program instructions enable the user to con- 
and 106 include a data bus, a control bus and an address trol the setting of the interval counter 10-8 which estab- 
bus and provide continuous signal paths through all like lishes when user reauthentication takes place. The reau- 
buses. For example, bus 105 includes address bus 105a, thentication interval defines the time between interrup- 
data bus 1054 and control bus 105c. tions and for sending an interrupt to the host processor 

The PCMCIA bus standard has evolved from a stan- 65 5 requiring verification of the user's identity by having 
dard which supports disk emulation on memory cards the user reenter the PIN or other password. The inter- 
to a substantially different standard which allow ran- val counter 10-8 receives clock pulses from the host 
dom access to memory data. The memory card of the processor 5 over bus 102 and can be set by the user 
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according to the work environment. For example, at The write state machine 61 controls the block erase 

home, the user may turn the timer off (i.e., set it to a and program algorithms. The program/erase voltage 

maximum value), or set the time interval to one hour. system 62 is used for erasing blocks of the memory 

On an airplane the user may set it for ten minutes for array 54 or the programming bytes of each block as a 

increased protection. The user can be prompted to re- 5 function of the voltage level of VPP. 

examine the setting of this interval at every "power on" Security Section 1038 
thereby forcing periodic reauthentication to enforce 

security. As seen fr° m FIG. 3, section 103S includes a security 

access control unit 30, shown in greater detail in FIG. 4, 

FLASH MEMORIE8 103a through 103* 10 a lock write allow storage element 32, and a volatile 

FIG. 3 shows in block diagram form, flash memory access control memory 43 interconnected as shown. 

103a which is identical in construction to the remaining The output of the access control memory 43 is applied 

flash memories 103b through 103/1. As shown, memory « an enabling input to output buffer 52 during each 

103a includes two sections, a memory section 103M memory read cycle when the contents of a byte location 

organized according to the present invention and a 15 of any block of memory array 53 is being read out That 

security logic section 103S containing the security ac- °l c}e m ^ ?° C}1 [> however, the data read out 

cess control circuits of the present invention. Both sec- ^hibited from passing through output buffer 52 in the 

tions are shown in greater detail in FIG. 4. absence of the appropriate block's access control mem- 

ory gating signal. 

Memory Section 103M 20 More specifically, in the preferred embodiment, ac- 

As seen from FIG. 3, section 103M includes a mem- «*» control memory 43 includes sixteen individually 

ory array 54 organized into sixteen blocks as shown in ^ es ^ „ ^ ^ *° 

m/^ a n ca i™„ 16 bit decoder connected to the input of each storage 

FIG. 4, a command register 50, input/output logic cir- . , * * ^ ^ i.-i * 

, j *i element and a 1 to 16 output multiplexer circuit con- 

cuits 60, an address counter 56, a write state machine 61. , , . * ^ c K_ fc r . ^ r 

* « * «. u- i M 25 nected to the output of each storage element. The four 

an erase voltage system 62, an output multiplexer 53, a , . , A , \- . . - °, - 

. A * . JL J . . ^ r A \ , ~ ' high or most significant bits or each address or certain 

da* register 55, an mput buffer 51, an output buffer 52, ^ instru 4, ns a(Jded to the sfit of m com . 

and a status register -58, arranged as shown. The basic described hereinj are decoded and ^ to % eiect 

logic circuits ot tiasn memory as discussed above, ^ £ e , ement for ^ Wock who$e 

contents are to 

take the form of the type of circuits included m flash 3Q be chan * d Similar , the same four bits are used t0 
memories manufactured by Intel Corporation Since sekct the t of ^ st e , emem for the blQck 
such circuits can be considered conventional in design, containing thc memory location being rcad 
they will only be described to the extent necessary. For j t ^ ^ noted that this section receives command 
further information regarding such circuits, reference contrd signak designated by various hexadecimal val- 
may be made to the publication entitled, Memory 35 ues (i.e. 31H through 33H) from command register 50 of 
Products," Order Number 210830, published by Intel section 103M signals indicate th e different data 
Corporation, dated 1992 as well as other publications of values of the set of commands received by command 
Intel Corporation. register 50 from ACP 10 via data bus 105Z>. As described 
As shown in FIG. 3, the flash memory circuits re- ^ter herein, these commands are an important extension 
ceive a plurality of input address signals A0-A16, data 40 t0 tne sets of commands used by the flash memory. The 
signals D00-D07 and control signals consisting of chip standard flash memory commands take the form of the 
enable, write enable, output enable, power down and commands utilized by the Intel Corporation flash mem- 
erase/program power supply signals CE, WE, OE, ories. 
PWD, and VPP respectively. The functions performed 
by these signals are described in Appendix I. 

4S DETAILED DESCRIPTION OF SECTIONS 103M 

The CE, WE and OE signals are applied to command AND 103S-FIG. 4 

register 50 and I/O logic block 60 from host processor FIG. 4 shows in greater detail, the organization of 

5 via bus 102 and control bus 1056 and dispersed to sections 103M and 103S. As shown, the memory array 

control the indicated logic blocks. The PWD signal is 54 has two sections, a lock bit section 54a and a data 

also applied to command register 50 for enabling the 50 section 546. In greater detail, memory 54 contains I 

flash memory to perform the operations described in megabytes of storage and, as indicated above, is orga- 

Appendix I. Also, this signal can be used to clear the nized into 16 blocks. Each block contains 8K rows and 

volatile storage elements of section 103S as desired each row contains 8 byte locations. According to the 

thereby enforcing user reauthentication when normal present invention, one bit location has been added to 

operation is again resumed. 55 each row to form lock bit section 54a. By extending the 

Generally, the basic logic elements of section 103M number of bit locations in each row from 64 to 65 bits, 

operate in the following manner. Information is stored memory array 54 is -able to store both data and associ- 

in memory array 54 via data bus 105a, input buffer 51 ated lock bit information for protecting such data as 

and data register 55 at an addressed location of one of described herein. 

the memory blocks specified by the address received by 60 As shown, both sections are addressable via address 

address counter 56 from address bus 105c. Information latch counter 56 which is organized into three sections, 

is read from a specified addressed location of a block of A first register section is used to store the most signifi- 

memory array 54 and is sent to host processor 5 via an cant group of address bits designating which block is 

output multiplexer 53, output buffer 52, data bus 105a being addressed. A second section is constructed to 

and bus 102. A status register 58 is used for storing the 65 operate as a both a register and a counter and is used to 

status of the write state machine, the error suspend store and increment by one, the middle significant 

status, the erase status, the program status and the VPP group of address bits designating which row of a block 

status. is being addressed. A third register section is used to 
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store the least significant group of address bits designat- 
ing which byte of a row is being addressed. A multiplex- 
er/demultiplexer circuit 53a which includes the circuit 
of block 53 is used to select the byte location to be 
written into or read as a function of the least significant 5 
address bits stored in address latch counter 56. 

Also, as shown in FIG. 4, security access control unit 
30 of section 103S includes a bit compare logic circuit 
30-1, an accumulator compare flip-flop 30-2 and an end 
counter 30-3 arranged as shown. The bit compare logic 10 
circuit 30-1 is connected to receive as inputs, the lock 
bit contents of the lock bit locations of section 54a and 
key bits applied by ACP 10 via bus 1056. The compara- 
tor circuit 30-1 compares each key bit presented by 
ACP 10 to the corresponding lock bit read out from 
lock bit section 54a and applies the results of the com- 
parison as an input to accumulator compare flip-flop 
30-2 as shown. The flip-flop 30-2 accumulates the re- 
sults of successive comparisons. End counter 30-3 is a 
small counter (e.g. 3 bit) which counts the number of 
successive ONE bits occurring in the string of lock bits 
used to detect the end of the stored key value. 

The lock write allow flip-flop element 32 connects to 
command register 50 and to the program/erase voltage 
system. As discussed herein, whenever a block erase 
operation is performed, flip-flop 32 is set to a binary 
ONE state at the completion of the erase operation. The 
output of the flip-flop 32 is applied as an input to com- 
mand register 50 and establishes when information is 
allowed to be written into the lock bit locations of a 
memory block. 

As indicated, different elements of security access 
control unit 30 receives commands from command 
register 50. As mentioned above, these commands are 
an important extension to the sets of commands nor- 
mally used by flash memory 54. The commands used by 
the present invention will now be described. These 
instructions are described in greater detail in Appendix 
II and now will be discussed. 

The first type of instruction or command is a start 
command which is performed by ACP 10 at the begin- 
ning of a key validation operation for a given block. 
This instruction causes the first bit (LMB0) of the block 
to be strobed into the access control storage element of 
the access control memory 43. The start instruction also 
causes the end counter 30-3 to be reset to zero and to set 
the accumulation compare flip-flop 30-2 to a predeter- 
mined state (binary ONE state) for indicating that a 
comparison failure has not occurred. The start instruc- 
tion also causes the most significant address bits and 
middle address bit applied via address bus 105a to be 
loaded into address counter 56 and ensures that the 
middle address bits are all zero for addressing the first 
bit (lock bit) within the block. The least significant 
address bits are ignored. 

The second type of instruction is a step instruction 
which is performed during a block key validation oper- 
ation once for each bit in the sequence of key bits. If 
there are n key bits in each protected block, then ACP 
10 will execute n second instructions for each key vali- 
dation operation. Each step instruction causes the mid- 
dle significant bits of the address counter 56 to be incre- 
mented by one for readout of a next lock bit from the 
block's lock bit locations. Accordingly, the address 
presented by each step instruction is ignored. 

The step instruction also causes the sampling of the 
outputs of the bit compare logic circuit 30-1 for storage 
of the results of comparing a key bit presented by ACP 
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10 with the next lock bit read out from the memory 
block. Further, it increments the end counter 30-3 by 
one when the lock bit read from the memory block 
contains a one and it compares to the key bit presented 
by ACP 10. When the lock bit read out from the mem- 
ory block is a zero, then the step instruction causes the 
end counter 30-3 to be reset to zero. Also, when there is 
a miscompare, the step instruction resets the accumula- 
tion compare flip-flop to zero. 

The third type of instruction is an end instruction 
which is performed once by ACP 10 to close the key 
validation operation. This instruction causes the sam- 
pling of the states of accumulation compare flip-flop 
30-2 and end counter 30-3. When both are in the correct 
states, the end instruction sets the block's access control 
element of memory 43. More specifically, when the end 
counter 30-3 has reached a maximum count which is 
signaled by the generation of an overflow output signal 
and the accumulation compare flip-flop 30-2 in still in a 
binary one state signaling no miscompare, then the end 
instruction causes the setting of the access control ele- 
ment of memory 43 designated by the most significant 
address bit contents of address counter 56. 

It will be noted that the above discussed instructions 
are also used in conjunction with block erase operations 
which take place during card initial loading or fabrica- 
tion and during selected block erasures. The operations 
initiated during these modes of operation are also de- 
scribed in the action table of FIG. 5 and Appendix II. 
These operations will be discussed later herein in con- 
nection with FIGS. 6a and 6c 

DESCRIPTION OF OPERATION 

The operation of the secure memory card of the pres- 
ent invention will now be described with particular 
reference to the action table of FIG. 5 and the flow 
diagrams of FIGS. 6a through 6c. The sequence of steps 
involved in the fabrication or in the initial loading of the 
memory card are shown in FIG. 6a. This sequence is 
utilized to customize the card for a given application. 
Before describing this operation in detail, the selection 
of key values and the memory erase process will first be 
described. 

During card fabrication or alternatively as a part of 
an initial loading operation, the ACP 10 sets the lock 
values for each of the memory chips on the memory 
card. It does this by loading the key values into the lock 
bit locations of each block of each memory 54 of FIG. 
4. These values are stored in the ACP's protected non- 
volatile memory 10-2 (i.e. keys 1-n in FIG. 2). Also, the 
ACP 10 will have been loaded with configuration infor- 
mation pertaining to the memory's structure and the 
protection levels to be applied to each memory block. 

As previously discussed, the key values for the pro- 
tected memory blocks are selected according to rules 
similar to those of the HDLC protocol. Each key value 
can be of any length -storable within the allocated block 
lock memory area and begins with a binary ZERO 
value followed by the selected sequence of ones and 
zeros which terminate in a string or sequence of 7 ONE 
bits. Thus, the sequence except for the last 7 ones is 
coded so that it does not contain more than 6 consecu- 
tive one bits. 

Before key writing or loading takes place, the flash 
memory 43 must be first erased. This is done to utilize 
the inherent writing characteristic of the flash memory 
to protect the data stored therein. That is, it allows the 
first bit (0th) in each group of lock bit locations of each 
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block which is to be protected to be set to a zero state. 
As these elements are non-volatile in that they cannot 
be changed from a zero state to a one state unless the 
entire block is erased in order to change its contents. 

The Erase Process 5 

In the preferred embodiment, the flash memory 43 is 
erased on a block by block basis. This enables a similar 
erasing process to be used during memory card fabrica- 
tion or loading and to perform selective block erase 10 
operations during card operation. When a block is 
erased, all of its data including the lock bits stored in the 
lock storage area are set to ONEs. If it is desired to 
protect the block, a new lock value must be written at 
this time. That is, it would violate security to allow the 15 
lock bits to be written at an arbitrary time. Therefore, 
the lock write allow flip-flop 32 was included to assure 
that lock bits are only written immediately following a 
block erase operation. 

During a block erase, the most significant bit posi- 20 
tions of the address register counter 56 hold the address 
of the block being erased. At the completion of the 
erase operation, the flip-flop 32 is set to a binary ONE 
state. When set, this flip-flop causes the modification of 
the operation of the start and step instructions so as to 25 
cause the bits presented by such instructions to be writ- 
ten into the lock bit positions in lieu of being compared 
to them. Any instruction except the start and step in- 
structions will cause the resetting of the flip-flop 32. 
Thus, an end instruction is used to reset the lock write 30 
allow flip-flop 32 for terminating the lock bit write 
operation. Also, in this case, the end instruction also sets 
the ACM storage element for that block to a binary 
ONE state, thus allowing access to that block. 

If a block is not to be protected according to the 35 
configuration information held in the ACP 10 memory, 
the execution of any instruction except the start and step 
instructions will inhibit lock bit writing by causing the 
resetting of the lock write allow flip-flop 32. The execu- 
tion of a start instruction will then transfer the Oth lock 40 
bit which equals ONE to the ACM storage element, 
thus enabling access. 

Card Fabrication 

FIG. 6a illustrates how ACP 10 sets the lock values 45 
for each of the memory chips on the memory card. It 
does this by loading the key values into the lock bit 
locations of each block of each memory of FIG. 4. As 
indicated in blocks 600 and 602 of FIG. 6a, the key 
writing/loading operation carried out during card fabri- 50 
cation is begun by addressing the first flash memory 
block followed by the erasure of that memory block. 
The ACP 10 determines from the configuration infor- 
mation defining the memory's protection levels if the 
block is be protected. If it is not to be protected, the 55 
ACP 10 simply loads its contents as indicated in block 
614 of FIG. 6a. 

But if the block is to be protected, ACP 10 causes the 
execution of a sequence of start, step and end instruc- 
tions (i.e. blocks 606-610) for writing the bits of the key 60 
value for the block into its lock bit locations. That is, the 
execution of the start instruction causes a binary ZERO 
to be written into lock bit position LMB0 of the first 
memory block as indicated by block 606 of FIG. 6a. As 
indicated in block 608 of FIG. 6a, the execution of each 65 
step instruction causes a next bit of the key value stored 
in ACP 10 memory to be written into the next lock bit 
location (e.g. LMB1) of the first block. If there are more 
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key bits to be written into the lock bit positions of the 
first block, ACP 10 causes the execution of another step 
instruction. Step instructions are executed until the 
ACP 10 determines that all of the bits of the stored key 
value have been written into the lock bit positions of 
lock memory area for the first memory block. The ACP 
10 makes the determination by detecting that 7 consecu- 
tive ONES have occurred signaling the end of the key 
value. 

As indicated in block 612 of FIG. 6a, upon complet- 
ing the writing of the key value, the ACP 10 executes an 
end instruction which sets the corresponding ACM 
storage element for the first block to a binary ONE state 
for allowing access to the block. Next, the first block is 
loaded with the appropriate data or procedure informa- 
tion for the particular application. As indicated in FIG. 
6a, the operations of blocks 602 through 614 are re- 
peated for each block until all of the memory blocks of 
all of the chips have been processed. 

As in the case of the related patent application, during 
user customization, the user establishes parameters for 
the frequency and mode of authentication and specific 
data required (e.g. personal identification numbers 
(PINs)). This information is also stored in the ACP's 
memory. At this point, the secure memory card is ready 
to be powered up and conduct an authentication proce- 
dure. 

As in the case of the related patent application, a first 
authentication dialog may be initiated by ACP 10. That 
is, ACP 10 using the services of its host processor 5, 
prompts the user and receives authentication informa- 
tion such as a PIN or other identifying information from 
the user. If authentication is unsuccessful, no operation 
is performed. If the authentication is successful, then a 
first key validation operation is performed by ACP10 
for each block to be protected. When the validation 
operation is successfully performed, then the ACP 10 
enables access to the block by setting the corresponding 
access control storage element in access control mem- 
ory 43. 

As a further step, periodically, according to the user's 
configuration, the ACP 10 may prompt an additional 
user authentication (reauthentication). In the event of 
failure, the ACP 10 forces all memory chips to then- 
power on states, thus inhibiting any access to the memo- 
ries' data by clearing the contents of access control 
memory 43. 

Power Up Process 

Now the key validation operation of the present in- 
vention will now be described relative to FIG. 6k As 
shown, the validation operation is performed as part of 
the normal power up operation. As shown in block 620, 
the power up sequence involves the initialization of the 
different elements of security section 103.x, such access 
control memory 43, accumulation comparison flip-flop 
30-2 and end counter 30-3. The key validation operation 
is performed by the execution of the sequence of in- 
structions and operations indicated in FIG. 6b which 
cause the series of actions shown in the table of FIG. S. 

Referring to FIG. 6b t it is seen that following initial- 
ization, ACP 10 addresses the first memory block and 
performs the operations of block 624 by first executing 
a start instruction. As indicated in the table of FIG. 5, 
this causes the most significant address bits of the start 
instruction to be loaded into address latch counter 56. 
At the same time, the middle address bits are forced to 
all zeros for readout of the contents of the first bit loca- 
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tion corresponding to bit LMBO The contents of bit 
LMBO are in turn loaded into the control access storage 
element of control memory 43 associated with the first 
block. If the first block is to be protected, the control 
access storage element is set to a binary ZERO state. 5 
This ensures that the data contents of the block remain 
protected during the key validation process. But if the 
block is not protected, the element is set to a binary 
ONE state. Also, the end counter 30-3 is reset to zero 
while the accumulation compare flip-flop 30-2 is set to a 10 
binary ONE state. 

If the block is not being protected, the start instruc- 
tion is the only instruction required to be executed. That 
is, the ACM block storage flip-flop designated by the 
start instruction is set to a binary ONE as a result of 15 
strobing the binary ONE state of the first bit position 
(LMBO) into that flip-flop. Assuming that the first block 
is protected, ACP 10 then begins executing a plurality 
of step instructions, corresponding in number to the 
number of bits in the key sequence which it can deter- 20 
mine by examining the bits of the key value for that 
block stored in its non-volatile memory as discussed 
above. 

As seen from the table of FIG. 5, each step instruc- 
tion causes the middle address bits stored in the address 25 
latch counter 30-3 to be incremented by one for readout 
of the next lock bit location LMB1. The contents of the 
location LMB1 is compared with the key bit presented 
by ACP 10 which is the first key bit of the sequence to 
be compared. If both compare identically, then no ac- 30 
tion is taken to change the state of accumulation com- 
pare flip-flop 30-2 and it remains in a set state. But if 
there is a miscompare, then the flip-flop 30-2 is reset to 
a binary zero. The step instruction also causes end 
counter 30-3 to be incremented by one if the lock mem- 35 
ory bit read out (LMB1) is a binary one and it compares 
with the key bit being presented. If there is no compari- 
son indicating a miscompare, then end counter 30-3 is 
reset to zero. 

Additionally, if end counter 30-3 exceeds its maxi- 40 
mum count causing an overflow to occur, this will also 
cause compare flip-flop 30-2 to be reset to a binary 
ZERO state. When the end counter 30-3 is incremented 
beyond its maximum value, this is an indication that 
ACP 10 is attempting a comparison beyond the extent 45 
of the lock bits. Since this should never occur during 
normal operation, the compare accumulation flip-flop 
30-2 is reset to ZERO to further inhibit the occurrence 
of a successful match ensuring greater security. 

Assuming that there is no miscompare, ACP 10 con- 50 
tinues by executing a next step instruction which re- 
peats the series of actions described above During such 
execution, each successive one bit will cause end 
counter 30-3 to be incremented by one. Therefore, just 
prior to the execution of the nth step instruction, end 55 
counter 30-3 should have counted 6 successive one bits. 
The execution of the nth step instruction in the absence 
of no miscompare and no overflow will cause the end 
counter to be incremented to its maximum count of 7 
resulting in an output being generated. 60 

Following the execution of the nth step instruction, 
ACP 10 then executes an end instruction for completing 
the key validation operation. This instruction causes the 
states of the end counter 30-3 and accumulation com- 
pare flip-flop 30-2 to be sampled for determining if the 65 
results are correct. If they are both in binary one states, 
then ACP 10 causes the access control element for the 
block to be set to a binary ONE. If the results are not 
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correct, then ACP 10 resets the access control element 
to a binary ZERO state. Also, as indicated in the table 
of FIG. 5, the end instruction causes both end counter 
30-3 and accumulation compare flip-flop 30-2 to be 
reset. 

As shown in FIG. 66, the above described key valida- 
tion operation is repeated for each of the remaining 
blocks to be protected. At the conclusion of the key 
validation process, the secure memory card is ready to 
begin memory operations as described above. If during 
such operations, a user wants to store new information 
within a memory block, the ACP 10 will carry out the 
sequence of operations illustrated in FIG. 6c. As 
shown, the address of the selected block will be loaded 
into address register counter 56. The erase will be per- 
formed in a conventional manner on the block desig- 
nated by the most significant address bits contained in 
counter 56. At the completion of the erase operation 
signaled by the circuits of block 62 of FIG. 3, an output 
signal is generated which causes the setting of lock 
write allow flip-flop 32 to a binary ONE state. 

Next, as indicated by block 644 of FIG. 6c ACP 10 
determines from the stored configuration information if 
the erased block is to be protected. If it is protected, the 
ACP 10 will execute a start instruction. Since the write 
lock allow flip-flop 32 is set, it will modify the operation 
of the start instruction so that it causes a binary ZERO 
to be written into the first bit position (LMBO) of the 
lock memory area of the selected block in lieu of per- 
forming a compare operation. Next, as indicated by 
blocks 648 and 650, the ACP 10 will execute a number 
of step instructions for writing the bits of the key value 
presented by the step instructions into the lock bit posi- 
tions of the selected block until all of the bits have been 
written, signaled by the detection of 7 consecutive 
ONE bits. 

At the conclusion of the writing operation, ACP 10 
executes an end instruction which resets the lock write 
allow flip-flop 32 to a binary ZERO state. Also, the end 
instruction causes the setting of the ACM storage ele- 
ment associated with the block to a binary ONE state 
for allowing access. If the block is not to be protected as 
per the configuration information, the execution of any 
instruction will inhibit the writing of lock bits by caus- 
ing the resetting of the lock write allow flip-flop 32. 
Next, as indicated by block 654 of FIG. 6c, the ACP 10 
executes a start instruction which operates in the nor- 
mal way to transfer the Oth lock bit read out from the 
selected block and strobe it into the ACM storage ele- 
ment associated with that block. 

The above has shown how the present invention is 
able to provide a highly producible and programmable 
key validation system. It will be appreciated by those 
skilled in the art that many changes may be made to the 
preferred embodiment of the present invention without 
departing from its teachings. For example, the invention 
may be used with different types of non-volatile memo- 
ries and different interfaces, etc. Also, the present in- 
vention can be used with memories having block sizes 
that are very small wherein it may be desirable to have 
more than one lock bit per memory for providing a 
sufficiently large key without substantially increasing 
the complexity of the security access control unit. 
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Symbol 



SIGNAL DESCRIPTIONS 
Name and Function 



A0-A16 ADDRESS INPUTS for memory addresses. 
Addresses are internally latched during a 
write cycle. 

D0O-D07 DATA INPUTS/OUTPUTS: Inputs data and 
commands during memory write cycles; outputs 
data during memory and status read cycles. 
The data pins are active high and float to 
tristate off when the chip is deselected or 
the outputs are-disabled. Data is internally 
latched during a write cycle. 

CE CHIP ENABLE: Activates the device's control 
logic, input buffers, decoders and sense 
amplifies. CE is active low, CE high 
deselects the memory device and reduces power 
consumption to standby levels. 

PWD POWERDOWN: Puts the device in deep powerdown 
mode. PWD is active low; PDW high gates 
normal operation- PWD = VHH allows programming 
of the memory blocks. PWD also locks out 
erase or write operations when active low, 
providing data protection during power 
transitions. 

OE OUTPUT ENABLE: Gates the device's outputs 

through the data buffers during a read cycle, 

OE is active low. 
WE WRITE ENABLE: Controls writes to the command 

register and array blocks. WE is acttvelow. 

Addresses and data are latched on the rising 

edge of the WE pulse. 
Vpp ERASE/PROGRAM POWER SUPPLY 

for erasing blocks 

of the array or programming bytes of each 

block. Note: With Vpp < VPP1 Max, memory 

contents cannot be altered When Vpp is at a 

high level, programming can take place; if 

Vpp is at a low level, the memory array 54 

functions as a read only memory. 
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Step Instruction (32H) 

This command is performed once for each bit in the 
key bit sequence. Each command presents one bit of the 
key bit sequence which is compared with a next sequen- 
tial lock bit. When this instruction is performed and the 
lock write enable flip-flop is in the set state following an 
erase operation, it causes the bit presented by the in- 
struction to be written into the designated lock bit loca- 
tion of a memory block. 
End Instruction (33H) 

This command is performed once by ACP 10 to close 
or complete the key validation operation. It samples the 
state of the accumulated comparison flip-flop, tests the 
end counter and enables the setting of the block's access 
15 control storage element if the results are correct. When 
this instruction is performed and the write lock bit en- 
able flip-flop is in the set state, it causes the resetting of 
the lock write enable flip-flop to a binary ZERO state 
for terminating a lock bit write operation in addition to 
20 setting the block's access control storage element for 
providing access. 

While in accordance with the provisions and statutes 
there has been illustrated and described the best form of 
the invention, certain changes may be made without 
25 departing form the spirit of the invention as set forth in 
the appended claims and that in some cases, certain 
features of the invention may be used to advantage 
without a corresponding use of other features. 
What is claimed is: 

1. A secure memory card for use with a host portable 
computer, said memory card comprising: 
a microprocessor connected for transmitting and 
receiving address, data and control information to 
and from said host computer and said microproces- 
sor including: 
an addressable non-volatile memory for storing infor- 
mation including a number of preestablished key 
values, each key value having a length no greater 
than a predetermined number of bits; 
an internal bus connected to said microprocessor for 
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(1) LWE is Lock Write Enable. 

(2) Most Significant Bits of Address arc the Block Address, the remaining bits are ignored. 

(3) LMB0 is First Bit in Lock Memory Array. 

(4) One Bit of Key Data presented for Comparison. 

(5) One Bit of Lock Data presemed for Writing. 



Start Instruction (31H) 

This command is performed once by the ACP 10 to 
begin a key validation operation. If the block is not 
protected (i.e., first lock bit is a ONE), only this one 60 
instruction is required for validation. When this instruc- 
tion is performed and the lock write enable flip-flop is in 
the set state, it causes the bit presented by the instruc- 
tion to be written into the designated first lock bit loca- 
tion (0th) of a memory block. In this case, the MSBs of 65 
the address are not loaded into the address register as 
the block addressed is the same as that of the previous 
erase operation. 



transmitting address, data and control information 
defining memory operations to be performed by 
said card; and, 
at least one non-volatile addressable memory being 
connected to said internal bus in common with said 
microprocessor for receiving said address, data and 
control information, said memory including a 
memory section and a security section, said mem- 
ory section containing a non-volatile memory array 
organized into a number of blocks, each block 
having a plurality of addressable multibit locations, 
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at least a predetermined bit location of each one of 4. The memory card of claim 3 wherein said first 

a predetermined number of said plurality of said command is a start instruction, said predetermined state 

locations being designated as a lock bit location for is a binary ONE state and wherein said address latch 

storing a different bit of a key value which collec- counter has a plurality of storage sections for storing 

tively provide a serially addressable group of lock 5 said most significant bits, said middle significant bits and 

bit locations available for storing said predeter- least significant bits of said address obtained from said 

mined number of bits and control logic means for start instruction. 

performing said memory operations and said secu- 5. The memory card of claim 3 wherein said cora- 
rity section being connected to said control logic mand register in response to each second type of corn- 
means and to said memory section, said security 10 mand generates signals for incrementing by one, said 
section including- end counter onlv wnen said ^ xsi output signal is gener- 

an access control memory having a plurality of ad- *ted °V said bit compare logic means, for switching said 

dressable storage elements, a different one being accumulation compare storage element from said prede- 

assigned to each of said number of blocks of said terauned state to another state in the absence of said 

nonvolatile array; and, 15 ^ <"*P* S1 f * «"* fo ' resettm £ said end ^f* 

a security access control unit coupled to said access whei \ said OTd counte + r ad ^ ces Jf P rede * r " 

control memory, to said internal bus and to said mmed ma ™° P roducm S an overflow condl - 

control logic means, said security access ^ control m $ ^ second 

unit in response to signals received from said con- _ * , . . , 

V , . F if ■ i t ** 20 type of command corresponds to a step instruction and 

troJ logic means performing a key venficaUon op- ^rem said maximum £ ount corresponds to a prede- 

eration by serially comparing each key bit of one of q{ qne ^ Qccurrin m a k value 

sa,d key values with each of the corresponding bits ^ ^ q{ sajd key ^ & 

stored m said group of lock bit locations of a desig- ? ^ me card of claim 3 where in said com- 

nated block and generating an output signal for 25 mand ^ onse t0 a third type of command 

switching one of said plurality of addressable stor- generates signals for t0 a predetermined state, 

age elements to enable reading of information from Qne Qf gaid acce$s control storage elements designated 

a corresponding one of said blocks only when said by $aid most rignfficant address bits when said end 

key verification operation is successfully per- counte r has been advanced to a maximum count and 

formed. 30 said accumulation compare storage element is in said 

2. The memory card of claim 1 wherein said security predetermined state. 

section comprises: g. The memory card of claim 7 wherein said third 
bit compare logic means coupled to said non-volatile t yp e of command corresponds to an end instruction and 
memory array, to said control logic means and to wherein said signals reset said end counter and accumu- 
said internal bus for serially comparing said key bit 35 i at j on compare storage element to zeros when either 
of said one of said key values with said each cone- sa ^ eru j counter has not advanced to said maximum 
sponding bits stored in said group of lock bit loca- count or said accumulator compare storage element in 
tions, said bit compare logic means generating a not - m predetermined state, 
first output signal for signaling a result of each 9 The memory card of claim 1 wherein said memory 
comparison; 40 section further includes erase control means coupled to 
an accumulation compare storage element coupled to gajj memory for performing a selective block erase 
said bit compare logic means for receiving said operation on one of said number of blocks of said non- 
output signal, to said control logic means and to volatile memory array and wherein said security section 
said access control memory, said accumulator further includes a lock write allow storage element 
compare storage element generating a second out- 45 coupled to said erase control means and to said control 
put signal for indicating no miscomparison in any logic means, said lock write allow storage element 
bit comparisons successively made by said bit com- being switched to a predetermined state upon comple- 
pare logic means and, tion of each selective block erase operation, said lock 
an end counter coupled to said non- volatile memory write allow storage element when in said predetermined 
array, to said control logic means and to said access 50 state inhibiting said control logic means from perform- 
control memory, said end counter generating a i n g any write operation on said non-volatile memory 
third output signal for indicating that all of said bits array during a period of time that said lock write allow 
stored in said group of lock bit locations have been storage element remains in said predetermined state, 
read out from said memory, said second and third 10. The secure memory card of claim 9 wherein said 
output signals jointly causing said switching of said 55 lock write allow storage element is switched from said 
one of said plurality of storage elements. predetermined state to another state in response to said 

3. The memory card of claim 2 wherein said control microprocessor applying a predetermined type of corn- 
logic means includes an address latch counter and com- mand to said internal bus. 

mand register coupled to said memory array and to said 11. The secure memory card of claim 10 wherein said 
internal bus for storing addresses and commands respec- 60 predetermined type of command corresponds to an end 

tively received from said internal bus, said register in instruction which is used to indicate completion of said 

response to a first type of command generating signals selective erase operation. 

for setting said accumulation compare storage element 12. The secure memory card of claim 9 wherein said 

to a predetermined state, resetting said end counter to information stored in said addressable non-volatile 
zero and for loading said address latch counter with 65 memory of said microprocessor further includes conflg- 

most significant bits of an address associated with said uration information coded for designating which of said 

command and for making middle significant bits of said number of blocks of said non-volatile memory is to be 

address zeros. protected and wherein said microprocessor executes a 
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predetermined sequence of commands for writing bits 
of one of said preestablished key values into said serially 
addressable group of lock bit locations of an erased 
block which is designated as protected by said configu- 
ration information. 5 

13. The secure memory card of claim 12 wherein said 
predetermined sequence of commands includes a first 
type of command for setting a first lock bit location of 
said group of lock bit locations of said erased block to a 
predetermined state for ensuring protection of infonna- 10 
tion subsequently loaded into said addressable multibit 
locations of said erased block. 

14. The secure memory card of claim 13 wherein said 
predetermined state is a binary ZERO state requiring 
that information subsequently loaded into said erased 
block must be erased in order to reset said first lock bit 
location to enable access to said information and 
wherein said first type of command is start command. 

15. The secure memory card of claim 13 wherein said 2 q 
predetermined sequence of commands includes a num- 
ber of second type of commands, each second type of 
command causing a different one of said bits of one of 
said key values to be serially written into other lock bit 
locations of said group until all of said bits of said one of 25 
said key values have been stored. 

16. The secure memory card of claim 15 wherein 
each of said key values is coded according to a predeter- 
mined protocol pattern. 

17. The secure memory card of claim 15 wherein said 30 
second type of command is a step instruction and said 
number of said second type of commands corresponds 

to a number of bits contained in said key value. 
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18. The secure memory card of claim 15 wherein said 
predetermined sequence of commands includes said 
predetermined command as a last command in said 
sequence, said predetermined command setting one of 
said plurality of addressable storage elements of said 
access control memory to a predetermined state for 
enabling access to said erased block for loading said 
storage locations with information thereby completing 
said selective block erase operation. 

19. The secure memory card of claim 16 wherein said 
predetermined protocol pattern contains a predeter- 
mined number of successive binary ONE bit for signal- 
ing an end of said key value. 

20. The secure memory card of claim 1 wherein said 
information stored in said addressable non-volatile 
memory of said microprocessor further includes config- 
uration information coded for designating which ones 
of said number of blocks of said non-volatile memory 
are to be protected and wherein said microprocessor 
further includes commands for configuring said non- 
volatile memory array according to said configuration 
information, said commands causing said control logic 
means to set first lock bit locations of all of said blocks 
designated as protected by said configuration informa- 
tion, to write bits of corresponding ones of said key 
values into said groups of lock bit locations of all of said 
blocks designated as protected and to set to a predeter- 
mined state, all of said storage elements of said access 
control memory assigned to protected blocks thereby 
enabling information to be loaded therein for complet- 
ing initial configuring of said non-volatile memory ar- 
ray. 

***** 
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